Forum Replies Created

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter karcher

    (@karcher)

    Ok. Let me see if I can get more data from my ISP on what the offending traffic was, or run some tests with/without the plug-in enabled and see if I can get you more information. This may take me a few days.

    Kat

    Thread Starter karcher

    (@karcher)

    Oops. Yes, I think I got the wrong plugin. Sorry about that.

    Thread Starter karcher

    (@karcher)

    Yep. Before I saw your post I saw another response to a different malformed XML problem that mentioned the wp-config. I had edited it through my FTP app, which I *won’t* be doing again.

    I re-started with the 2.7.1 wp-config-sample.php, edited for my data, and re-uploaded it, and that seemed to fix the problem. Although Firefox continued to whine until I restarted it.

    Thanks!

    Thread Starter karcher

    (@karcher)

    Well, validator.w3.org says all my feeds are valid.

    Not sure why Firefox, feedvalidator and other apps pulling my feed into places like Facebook don’t like it.

    Thread Starter karcher

    (@karcher)

    Oh, and to answer the question, the other feeds seem borked as well. So is my comments feed.

    Although I don’t know what application to use to “view” an atom feed.

    Thread Starter karcher

    (@karcher)

    When I view the page source from my feed, it looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <rss version="2.0"
    	xmlns:content="https://purl.org/rss/1.0/modules/content/"
    	xmlns:wfw="https://wellformedweb.org/CommentAPI/"
    	xmlns:dc="https://purl.org/dc/elements/1.1/"
    	xmlns:atom="https://www.w3.org/2005/Atom"
    	xmlns:sy="https://purl.org/rss/1.0/modules/syndication/"
    	>

    When I view the page source from another site’s working feed, it looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <rss version="2.0"
    	xmlns:content="https://purl.org/rss/1.0/modules/content/"
    	xmlns:wfw="https://wellformedweb.org/CommentAPI/"
    	xmlns:dc="https://purl.org/dc/elements/1.1/"
    	xmlns:atom="https://www.w3.org/2005/Atom"
    	xmlns:sy="https://purl.org/rss/1.0/modules/syndication/"
    	xmlns:media="https://search.yahoo.com/mrss/"
    	>

    The only difference between the two in Firefox’s page source viewer is that mine is shown with syntactic highlighting and the working feed is not (plus the working feed has an extra bit about Yahoo search, but I figure that’s not relevant).

    I’m almost suspecting some weird line feed or carriage return problem. Because I can see no relevant difference between the working code and mine.

    As a final clean-up note for your databases, not only should you check your active plugins database entry in wp_options, but in your wp_posts and wp_postmeta tables, look for the following and delete these entries:

    in wp_posts:
    any post titled rzf.txt (or a filename/title you do not recognize). Make a note of the post_id if you find any of these.

    in wp_postmeta:
    entries that list an attachment for the post_id you noted above. They will have meta_keys of _wp_attached_file and _wp_attachment_metadata and post_ids matching any hidden posts you found above. The meta_value will point to files like rzf.txt, or the bad pngs and jpegs mentioned in prior posts.

    I was just doing some extra surveying of my site when I came across these entries I overlooked the first time around. Since I’d cleared the attachments out of uploads already, no extra harm done.
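
    The database checks described in the post above, written as read-only queries. This is an added example, not part of the original post; it assumes MySQL and the default `wp_` table prefix, and note that the value the post calls post_id is the `ID` column in wp_posts.

    ```sql
    -- Added example: read-only review queries (MySQL). Assumes the default wp_ table prefix.

    -- 1) The active plugins entry in wp_options (a serialized PHP array of plugin paths).
    SELECT option_value
    FROM wp_options
    WHERE option_name = 'active_plugins';

    -- 2) Posts titled rzf.txt. Note each ID: wp_postmeta refers to it as post_id.
    SELECT ID, post_title, post_status, post_date, guid
    FROM wp_posts
    WHERE post_title = 'rzf.txt';

    -- 3) Every attachment meta row, with its owning post where one exists.
    --    The LEFT JOIN keeps rows whose post was already deleted (post_title is NULL).
    --    Review meta_value for files you did not upload.
    SELECT m.meta_id, m.post_id, m.meta_key, m.meta_value,
           p.post_title, p.post_status, p.post_date
    FROM wp_postmeta AS m
    LEFT JOIN wp_posts AS p ON p.ID = m.post_id
    WHERE m.meta_key IN ('_wp_attached_file', '_wp_attachment_metadata')
    ORDER BY m.post_id, m.meta_key;
    ```

    Back up the database before deleting any rows these queries surface.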

    Hi,

    Thanks. 4.0.2.2 seems to have taken care of the warning. Oh, and thanks for fixing the checkbox display too.

    The only very minor thing is that at the top of the options page, beneath the links to your website and .htaccess tutorials, but above the “AskApache Password Protect” heading, I always see the following characters:

    ‘;

    This seems purely cosmetic though. The plug-in appears to be working fine for me now.

    Sorry for the late reply. I’ve been out of town…

    I get this warning now using version 4.0.1. I probably won’t be able to upgrade to PHP 5.

    Warning: Invalid argument supplied for foreach() in /wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 701

    However, the setup seems to load fine. Will see what happens next.

    Me again.

    After studying the payload file, I would really appreciate someone more competent than me having a look:

    1) To tell me the extent of the damage to my security. What exactly did the hack do and what did the hackers get from me?

    2) To tell me if the steps mentioned by above posters are sufficient for getting rid of it. js.php seems to try to restore the hack, or embed stuff to restore it. It also seems to affect wp-includes/functions.php, or try to, which worries me, because I hadn’t seen that mentioned by anyone yet. I’m assuming my update to 2.5.1 clobbered whatever it did to functions.php, but I can’t be sure.

    Just tell me who to communicate with to send the file to and I will pass it along.

    Kat

    I don’t know if this is helpful information to anyone trying to track down the source of this problem, but I’ll post it just in case.

    I discovered the hack today when I tried to upgrade from 2.5 to 2.5.1. After following this thread, I found the offending lines of php code in one of my templates, plus all the rest.

    Up until April 19, I was running WP 2.0.4. On April 19, I backed up my entire site in preparation for the move to 2.5.

    I’ve had a look through that backup. On that date, my template files were OK. So the hack hadn’t been triggered yet. However, in my wp-content/uploads folder, there is a file called js.php, dated April 3.

    This file seems to be the one with the payload for the hack. I’m not really a php coder but have enough of a software background to recognize it’s not doing nice things, and believe I’ve found the piece of code that injects the offending line of PHP code into the beginning of people’s files. The file makes several references to the following URL https://unurex.cn

    Is there anyone I can send this file to for study? I’m not that familiar with the system around here.

    Katrina

    ultrasonic, this was a HUGE help.

    I’ll be keeping an eye on my db for a while to see if more problems crop up.

    Thanks so much for all the sleuthing.

    Thanks!

    .slaps forehead and goes off to read glossary

    I am also seeing a similar problem. I had not been able to determine the pattern to these comments but now that you mention it, they all contained links. The last one had links to both external sites and other posts on my blog. I’ve just run a test and it turns out only the internal links generate these spurious comments.

    The comment comes up as being from my post, with my post’s URI and with my ISP’s IP address. The body is a snippet of the original post.

    I use the recommended way of linking to internal posts:

    <a href="https://www.myblog.com/journal/index.php?p=29">internal link</a>

    I’m running WordPress 2.0.2.
